The modern web infrastructure landscape has fundamentally shifted toward containerization, with NGINX standing as a cornerstone of high-performance application delivery, load balancing, and web serving. As organizations migrate from traditional virtual machines to lightweight, isolated container environments, the deployment and management of NGINX have become more nuanced, requiring a deep understanding of Docker and Podman mechanics, image registries, licensing structures, and configuration persistence strategies. This exploration delves into the technical intricacies of running NGINX and NGINX Plus within containers, covering everything from basic image selection and build processes to advanced volume mounting, environment variable configuration, and integration with enterprise management platforms like NGINX One. The guidance provided herein addresses both the open-source NGINX distribution and the proprietary NGINX Plus platform, detailing the specific commands, file paths, and architectural decisions necessary to maintain robust, scalable, and secure web services. Whether utilizing standard Docker Engine, Red Hat’s Podman, or private enterprise registries, the underlying principles of containerized NGINX deployment remain consistent, yet the execution varies significantly based on the chosen operating system base, licensing requirements, and desired level of automation.
Fundamental NGINX Image Architecture and Default Configurations
At the core of any NGINX container deployment is the official NGINX image, which serves as the foundation for most containerized web serving tasks. The default NGINX configuration within these images is structured to provide a predictable and secure starting point for developers and system administrators. By default, the NGINX image designates /usr/share/nginx/html as the container’s root directory for serving static content. This means that any HTML, CSS, JavaScript, or media files placed in this directory will be accessible to clients requesting resources from the web server. Concurrently, the configuration files that dictate how NGINX behaves, including server blocks, location directives, and upstream definitions, are stored in the /etc/nginx directory. This separation of content and configuration is a critical design principle, allowing administrators to update server behavior without altering the served assets, and vice versa.
Understanding these default paths is essential because they determine how data must be mounted or copied when customizing a container. When a user deploys an NGINX container without any additional configuration, it will serve the default welcome page located in /usr/share/nginx/html using the standard settings found in /etc/nginx/nginx.conf and associated configuration files in /etc/nginx/conf.d. This default behavior ensures that a freshly pulled and run NGINX container will immediately respond to HTTP requests on port 80, providing a reliable baseline for further customization. The image is designed to be stateless in terms of its core configuration, meaning that any modifications made inside the container will be lost unless explicitly persisted through volumes, binds, or by building a new custom image. This stateless nature aligns with container best practices, encouraging immutable infrastructure where changes are applied by rebuilding images rather than modifying running containers.
Binding Host Directories to NGINX Containers
One of the most common and powerful methods for customizing an NGINX container is through the use of bind mounts. This technique allows a Docker host’s local filesystem directories to be directly mapped into specific directories within the running container. This approach is particularly useful when content and configuration files are maintained on the host system, as it enables real-time updates without the need to rebuild the container image. For instance, if an organization maintains its web content in the local directory /var/www and its NGINX configuration files in /var/nginx/conf on the Docker host, these directories can be bound to the container’s internal directories.
To execute this binding, the docker run command must include mount specifications that define the source directory on the host and the target directory within the container. The command structure requires specifying the mount type as bind, the source path on the host, and the target path inside the container. Additionally, the readonly option is frequently employed to enhance security by preventing the container from modifying the host’s files. The following command demonstrates how to deploy an NGINX Plus container with these specific bind mounts:
docker run --name mynginx2 \
--mount type=bind,source=/var/www,target=/usr/share/nginx/html,readonly \
--mount type=bind,source=/var/nginx/conf,target=/etc/nginx/conf,readonly \
-p 80:80 \
-d nginxplus
In this configuration, the --mount flag is used twice to establish two separate bind mounts. The first mount binds the host’s /var/www directory to the container’s /usr/share/nginx/html directory, ensuring that any web content on the host is served by the container. The second mount binds the host’s /var/nginx/conf directory to the container’s /etc/nginx/conf directory, allowing custom configuration files to override or supplement the default NGINX settings. The readonly option ensures that these directories are write-protected from within the container, meaning that any changes to the configuration or content must be made on the Docker host. This immutability within the container is a critical security feature, as it prevents malicious processes inside the container from altering the host’s filesystem or corrupting the NGINX configuration.
The -p 80:80 flag maps port 80 on the host to port 80 in the container, making the web server accessible to external clients. The -d flag runs the container in detached mode, allowing it to run in the background. The image specified is nginxplus, which indicates the use of the proprietary NGINX Plus distribution. This command structure is highly flexible and can be adapted to any host directory structure by simply changing the source parameters. Any changes made to the files in the local directories /var/www and /var/nginx/conf on the Docker host are immediately reflected in the corresponding directories within the container. This real-time synchronization is invaluable for development environments where rapid iteration of configuration changes is required. However, it is important to note that the readonly option means these directories can only be changed on the Docker host, not from within the container, enforcing a strict separation of concerns between host management and container runtime.
Creating Custom NGINX Images via Dockerfiles
While bind mounts offer flexibility for dynamic environments, many production deployments benefit from the immutability and reproducibility provided by custom Docker images. Creating a custom NGINX image involves writing a Dockerfile that defines the base image, copies necessary files, and sets up the environment. This approach encapsulates the configuration and content within the image itself, ensuring that the same configuration is deployed consistently across different hosts and environments. A simple yet effective way to create a custom image is to start from the official NGINX image and copy custom configuration files into it.
The Dockerfile typically begins with the FROM directive, specifying the base image. For NGINX, this is usually FROM nginx. Following this, the COPY command is used to transfer files from the build context on the host to specific locations within the container. For example, to replace the default NGINX configuration, one might use COPY nginx.conf /etc/nginx/nginx.conf. This command copies the nginx.conf file from the current directory on the host into the /etc/nginx/nginx.conf path inside the container, effectively overriding the default configuration. This method ensures that the container starts with the desired configuration already in place, eliminating the need for bind mounts or post-startup modifications.
A critical consideration when creating custom NGINX images is the handling of the CMD instruction. By default, the official NGINX image is configured to run NGINX in the foreground. However, if a custom CMD is added to the Dockerfile, it is imperative to include the -g daemon off; flag in the command. This flag instructs NGINX to run as a foreground process rather than daemonizing, which is essential for Docker to properly track the main process. Without this flag, NGINX would fork into the background, causing Docker to believe that the main process has exited and subsequently stopping the container immediately after it starts. Therefore, the CMD in the Dockerfile should be structured as CMD ["nginx", "-g", "daemon off;"] to ensure the container remains active.
Once the Dockerfile is prepared, the image is built using the docker build command. The command docker build -t custom-nginx . builds the image from the current directory and tags it as custom-nginx. This tagged image can then be deployed using the standard docker run command, such as docker run --name my-custom-nginx-container -d custom-nginx. This method of image creation is particularly useful for static configurations that do not change frequently, as it simplifies the deployment process and reduces the complexity of managing external files. However, it is important to note that out-of-the-box, NGINX does not support environment variables inside most configuration blocks. This limitation means that dynamic configuration values, such as upstream server addresses or SSL certificate paths, cannot be directly injected into the NGINX configuration files using standard Docker environment variables. Instead, alternative methods such as pre-processing configuration files or using NGINX Plus features must be employed to achieve dynamic configuration.
NGINX Plus Registry and Image Variants
For enterprises utilizing NGINX Plus, the deployment process involves additional considerations related to licensing, security, and image availability. NGINX Plus is available as a Docker container through the official NGINX Plus Docker registry, which has been accessible since NGINX Plus Release 31. This registry allows users to pull NGINX Plus images directly and upload them to private registries for internal use, enhancing security and control over the deployment pipeline. The NGINX Plus Docker registry is located at https://private-registry.nginx.com/v2/, and it offers a variety of image types to suit different deployment needs.
The registry contains several distinct image types, each designed for specific use cases. The standard NGINX Plus image is available at https://private-registry.nginx.com/v2/nginx-plus/base, providing a basic NGINX Plus installation. For environments that require a higher level of security compliance, an unprivileged installation of NGINX Plus is available at https://private-registry.nginx.com/v2/nginx-plus/rootless-base, which runs the NGINX process as a non-root user. Additionally, images bundled with the NGINX Agent are available for integration with NGINX One, the cloud-based management platform. These include the standard agent image at https://private-registry.nginx.com/v2/nginx-plus/agent and the unprivileged agent image at https://private-registry.nginx.com/v2/nginx-plus/rootless-agent. Finally, a separate image containing NGINX Plus dynamic modules is available at https://private-registry.nginx.com/v2/nginx-plus/modules, allowing for the extension of NGINX Plus functionality with additional capabilities.
The images in the NGINX Plus registry are tagged to target specific operating systems and NGINX Plus releases, ensuring compatibility with various infrastructure environments. The registry supports three primary operating system bases: Alpine, Debian, and Red Hat Enterprise Linux (RHEL). Alpine images are lightweight and suitable for minimal deployments, with tags such as r36-alpine and r36-alpine-3.20. Debian images provide a more traditional Linux environment, with tags like r36-debian and r36-debian-bookworm. RHEL images, based on the Universal Base Image (UBI), are ideal for enterprises using Red Hat ecosystems, with tags such as r36-ubi, r36-ubi-9, and r36-ubi-9-20251201. The registry typically contains images for the two most recent NGINX Plus releases, ensuring that users have access to the latest features and security updates.
The choice of image type and operating system base depends on the specific requirements of the deployment. For instance, an organization using Kubernetes with RHEL nodes might prefer the ubi images to maintain consistency with the host operating system. Conversely, a startup focused on minimal resource usage might choose the alpine images. The availability of rootless images is particularly significant for security-conscious environments, as running containers as non-root users reduces the potential impact of container escape vulnerabilities. The integration of the NGINX Agent in dedicated images simplifies the deployment of NGINX Plus in conjunction with NGINX One, enabling centralized management and monitoring of NGINX instances.
Deploying NGINX Plus with Licensing and Agent Configuration
Deploying NGINX Plus in a containerized environment requires proper licensing and, optionally, the configuration of the NGINX Agent for management purposes. The NGINX Plus license is provided in the form of a JSON Web Token (JWT) file, typically named license.jwt. This file must be made available to the NGINX Plus container at startup. By default, the license file is expected to be located at /etc/nginx/license.jwt within the container. If the license file is stored in a non-default directory on the host, its full path must be specified using the NGINX_LICENSE_PATH environment variable.
To start a Docker container with NGINX Plus, the license file is passed as an environment variable named NGINX_LICENSE_JWT. The value of this variable is the content of the license.jwt file. The following command demonstrates how to deploy an NGINX Plus container with the necessary license:
sudo docker run \
--env=NGINX_LICENSE_JWT=$(cat license.jwt) \
--restart=always \
--runtime=runc \
-d <YOUR_REGISTRY>/nginx-plus/base:<VERSION_TAG>
In this command, the $(cat license.jwt) command substitution reads the contents of the license file and passes it as the value for the NGINX_LICENSE_JWT environment variable. The --restart=always option ensures that the container automatically restarts if it stops, providing high availability. The --runtime=runc option specifies the use of the standard OCI runtime, which is compatible with most Docker deployments. The image tag <VERSION_TAG> should be replaced with the specific NGINX Plus release tag, such as r36-ubi-9.
For deployments that require integration with NGINX One, the NGINX Agent must also be configured. This involves passing additional environment variables to the container, including the NGINX One data plane key. The following command illustrates how to deploy an NGINX Plus container with the NGINX Agent:
sudo docker run \
--env=NGINX_LICENSE_JWT=$(cat license.jwt) \
--env=NGINX_AGENT_SERVER_GRPCPORT=443 \
--env=NGINX_AGENT_SERVER_HOST=agent.connect.nginx.com \
--env=NGINX_AGENT_SERVER_TOKEN="YOUR_NGINX_ONE_DATA_PLANE_KEY" \
--env=NGINX_AGENT_TLS_ENABLE=true \
--restart=always \
--runtime=runc \
-d <YOUR_REGISTRY>/nginx-plus/agent:<VERSION_TAG>
In this configuration, several additional environment variables are set. The NGINX_AGENT_SERVER_GRPCPORT variable sets the GRPC port used by the NGINX Agent to communicate with the NGINX Instance Manager, typically set to 443 for secure communication. The NGINX_AGENT_SERVER_HOST variable specifies the domain name or IP address of the NGINX Instance Manager, which is agent.connect.nginx.com for the NGINX One service. It is important to note that for production environments, it is not recommended to expose the NGINX Instance Manager to public networks, and appropriate network security measures should be implemented. The NGINX_AGENT_SERVER_TOKEN variable sets the NGINX One data plane key, which is used to authenticate the agent with the management platform. Finally, the NGINX_AGENT_TLS_ENABLE=true variable enables TLS encryption for the communication between the agent and the manager, ensuring secure data transmission.
Managing NGINX Content and Configuration with Volumes
Beyond bind mounts and custom images, NGINX content and configuration files can be managed using Docker volumes. Volumes provide a more robust and portable way to persist data in containers, decoupling the data from the container lifecycle. This approach is particularly useful when multiple containers need to access the same data or when data needs to be shared between the host and the container in a more structured manner.
One method for managing NGINX content and configuration is to create a new image that defines the necessary volumes. This involves using a Dockerfile to copy the content and configuration files into the image and then defining volumes for these directories. The following Dockerfile demonstrates this approach:
FROM nginx
COPY content /usr/share/nginx/html
COPY conf /etc/nginx
VOLUME /usr/share/nginx/html
VOLUME /etc/nginx
In this Dockerfile, the content directory from the build context is copied to /usr/share/nginx/html in the container, and the conf directory is copied to /etc/nginx. The VOLUME instructions then define these directories as volumes, ensuring that they are mounted as data volumes when a container is created from this image. This approach ensures that the initial content and configuration are present in the container, while also allowing for persistent storage of these directories.
To create the new NGINX image, the docker build command is used with the -t flag to specify the image name:
docker build -t mynginx_image2 .
Once the image is built, a container can be created based on it:
docker run --name mynginx4 -p 80:80 -d mynginx_image2
This container, named mynginx4, will have the content and configuration directories defined as volumes. To interact with these volumes, a helper container can be started. This helper container shares the volumes of the main NGINX container, providing a shell interface for inspecting or modifying the files. The following command creates such a helper container:
docker run -i -t --volumes-from mynginx4 --name mynginx4_files debian /bin/bash
In this command, the --volumes-from mynginx4 option mounts all volumes defined in the mynginx4 container into the new mynginx4_files container. The -i and -t options allocate a pseudo-TTY and keep standard input open, allowing for interactive use of the bash shell. The debian image is used as the base for the helper container, providing a lightweight Linux environment. Once the helper container is running, users can access the NGINX content and configuration files as if they were local files, enabling easy management and troubleshooting. This method is particularly useful for debugging configuration issues or updating content without needing to rebuild the main NGINX container.
NGINX Container Support for Red Hat and OpenShift Environments
For organizations leveraging Red Hat Enterprise Linux (RHEL) and OpenShift, the sclorg/nginx-container repository provides Dockerfiles for building NGINX images tailored to these environments. This repository supports multiple operating system bases, including RHEL, Fedora, CentOS, and CentOS Stream, allowing users to choose the most appropriate image for their infrastructure. The supported NGINX versions and their corresponding container registry addresses are detailed in the repository documentation.
The following table outlines the availability of various NGINX versions across different operating system bases:
| Version | CentOS Stream 9 | CentOS Stream 10 | Fedora | RHEL 8 | RHEL 9 | RHEL 10 |
|---|---|---|---|---|---|---|
| 1.20 | registry.redhat.io/rhel9/nginx-120 | |||||
| 1.22 | registry.redhat.io/rhel8/nginx-122 | registry.redhat.io/rhel9/nginx-122 | ||||
| 1.22-micro | quay.io/sclorg/nginx-122-micro-c9s | registry.redhat.io/rhel8/nginx-122-micro | ||||
| 1.24 | quay.io/sclorg/nginx-124-c9s | registry.redhat.io/rhel8/nginx-124 | registry.redhat.io/rhel9/nginx-124 | |||
| 1.26 | quay.io/sclorg/nginx-126-c9s | quay.io/sclorg/nginx-126-c10s | quay.io/fedora/nginx-126 | registry.redhat.io/rhel9/nginx-126 | registry.redhat.io/rhel10/nginx-126 |
This table highlights the diversity of available images, catering to different release cycles and security requirements. For instance, the 1.22-micro version is available for CentOS Stream 9 and RHEL 8, providing a minimal image for resource-constrained environments. The 1.26 version is widely supported across CentOS Stream 9, CentOS Stream 10, Fedora, RHEL 8, RHEL 9, and RHEL 10, ensuring broad compatibility.
To build a RHEL-based NGINX image, users must have a properly subscribed RHEL machine. The process involves cloning the nginx-container repository, updating submodules, and running the make build command with the appropriate target and version. For example, to build an NGINX 1.24 image based on RHEL 9, the following commands are executed:
git clone --recursive https://github.com/sclorg/nginx-container.git
cd nginx-container
git submodule update --init
make build TARGET=rhel9 VERSIONS=1.24
This process ensures that the resulting image is compliant with Red Hat’s standards and includes the necessary dependencies for running on RHEL systems. For CentOS Stream-based images, the images are available on DockerHub or Quay.io, allowing for easy pulling and deployment. The use of Podman, the container engine preferred by Red Hat, is also supported, with commands such as podman pull registry.access.redhat.com/rhel9/nginx-124 allowing users to retrieve pre-built images from the Red Hat Container Catalog. This flexibility in image sources and build processes enables organizations to tailor their NGINX deployments to their specific infrastructure and security requirements.
Conclusion
The deployment of NGINX within containerized environments represents a significant evolution in web infrastructure management, offering enhanced scalability, portability, and consistency. Through the detailed examination of Docker and Podman mechanics, it is evident that the choice between bind mounts, custom images, and volume-based strategies depends heavily on the specific operational requirements of the organization. Bind mounts provide the flexibility for dynamic environments where configuration changes are frequent, while custom images offer the immutability and reproducibility desired in stable production deployments. The integration of NGINX Plus adds layers of complexity related to licensing and management, necessitating careful handling of JWT licenses and NGINX Agent configurations to ensure secure and managed operations.
Furthermore, the availability of specialized images for different operating systems, such as Alpine, Debian, and RHEL, allows for fine-tuned deployments that align with existing infrastructure ecosystems. The support for Red Hat and OpenShift environments through the sclorg/nginx-container repository highlights the importance of vendor-specific optimizations and compliance. As container technology continues to mature, the principles of stateless design, security through least privilege, and immutable infrastructure will remain central to effective NGINX deployment. Organizations that leverage these best practices will be better positioned to manage complex web services, ensure high availability, and maintain security in an increasingly distributed and dynamic computing landscape. The exhaustive coverage of these deployment strategies provides a robust foundation for engineers and architects to build resilient and efficient web infrastructure tailored to their unique needs.